iSCSI MIB - comments on iscsiAccessList

To: ips@ece.cmu.edu
Subject: iSCSI MIB - comments on iscsiAccessList
From: Keith McCloghrie <kzm@cisco.com>
Date: Thu, 1 Nov 2001 09:16:18 -0800 (PST)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: owner-ips@ece.cmu.edu

I have some questions/suggestions regarding iscsiAccessList
in draft-ietf-ips-iscsi-mib-03.txt.
 
> 6.9.  iscsiAccessList
> 
>    The iscsiAccessListAttributesTable contains an entry for each
>    initiator that is allowed to access the target under which it
>    appears.  If a target allows access to any initiator, an
>    AccessListAttributesEntry with the initiator's iSCSI name should be
>    used.

I think the last sentence is 

a) confusing (do you mean "any initiator" ?) and 
b) may not always be true - with a wildcard mechanism ("iscsi" in the next
   paragaph), an initiator's name does not have to be in the table, right ?

>    This table does not cover all possible access control schemes that a
>    vendor could implement.  If access to an initiator cannot be
>    determined just by its iSCSI name, an implementation may either
>    include a single entry per target with the initiator name "iscsi", or
>    may choose to place no entries in this table.
 
Does no entries in the table allow any initiator access, or does it
deny access to all initiators ?

> iscsiAccessListAttributesTable OBJECT-TYPE
>     SYNTAX        SEQUENCE OF IscsiAccessListAttributesEntry
>     MAX-ACCESS    not-accessible
>     STATUS        current
>     DESCRIPTION
>         "A list of iSCSI initiators which will be granted access
>         to iSCSI resources through targets within the iSCSI
>         instance."

Can you say explicitly:

- what does no entries in the table mean, and
- how does the wildcard entry (an entry with name="iscsi") work. 

> ...
> 
> iscsiALInitiatorName OBJECT-TYPE
>     SYNTAX        SnmpAdminString
>     MAX-ACCESS    read-only
>     STATUS        current
>     DESCRIPTION
>         "An octet string that defines an initiator identified
>      by the <InitiatorName> key of the Login Command which will
>      be granted access. If this string has the value of 'iscsi',
>      then any initiator may access this target."
> ::= { iscsiAccessListAttributesEntry 2 }
 
If you intend that an entry of "iscsi" means that "any initiator
name is allowed", then I think it's a little strange that a special
meaning applies to a name that an administrator might just happen to
use without realising it.

Here are three alternatives which I think are better:

1. have a column in the iscsiTargetAttributesTable which enables/disables
   the use of the access-list.  (Then, disabling has the same function as
   "icsci" entry.)

2. have the zero-length name allow access to any name; (this is a special
   case of #3 below.)

3. have an additional column, iscsiALInitiatorMatchType, which is an
   INTEGER { exact(1), prefix(2) } where 'exact' is the type you currently
   have, and 'prefix' says that longer initiator names will match
   if they can be truncated to the value of iscsiALInitiatorName.

Keith.

Follow-Ups:
- Re: iSCSI MIB - comments on iscsiAccessList
  - From: Mark Bakke <mbakke@cisco.com>

Prev by Date: RE: FCencap: Missing SOF/EOF characters
Next by Date: Re: iSCSI: current UNH Plugfest
Prev by thread: Re: iSCSI: iSCSI Rev 8
Next by thread: Re: iSCSI MIB - comments on iscsiAccessList
Index(es):
- Date
- Thread

Home

Last updated: Thu Nov 01 14:17:33 2001
7512 messages in chronological order